High Assurance Collections for Protected Data

Globus Connect Server can be configured to support high assurance collections for managing protected data. After an administrator creates a Globus Connect Server endpoint, either the administrator or their Globus subscription manager must associate the endpoint with the institution’s High Assurance or HIPAA BAA subscription. Subsequently, the administrator can create a high assurance storage gateway, including configuring a session authentication timeout period and an optional flag to require multi-factor authentication for data access. Note that the identity provider must be configured to release multi-factor authentication status to Globus. Administrators can then create a mapped collection on the high assurance storage gateway. Any mapped collection created on a high assurance storage gateway will inherit the high assurance policies of the storage gateway.

Globus Connect Personal also supports high assurance features for managing protected data. When installing Globus Connect Personal, users must choose the "High Assurance" option and specify the identity that will be used when accessing protected data on the Globus Personal Connect collection. Before the personal collection can be used, either the personal collection owner or the institution’s Globus subscription manager must associate the personal collection with a High Assurance or HIPAA BAA subscription. Any guest collection created on a high assurance Globus Connect Personal collection will inherit the high assurance policies of the Globus Connect Personal collection.

Any Globus group that grants protected data access or managed protected data access privileges must be configured by the group administrator to be a high assurance group.

High assurance collections enforce the following higher authentication assurance policies for both data access (e.g., transferring and sharing data) and collection management (e.g., creating or configuring collections, managing data sharing permissions):

For example, a researcher is logged into the Globus web app on their laptop with their primary identity last_name@campus.edu. The researcher tries to access a guest collection that a collaborator has shared with the researcher’s linked identity first_name@cloudprovider.com. The guest collection has a 60 minute timeout, and the researcher has not authenticated to the Globus web app with first_name@cloudprovider.com within the last 60 minutes. Therefore, the researcher must authenticate with first_name@cloudprovider.com before they can access the guest collection. After authenticating with first_name@cloudprovider.com on their laptop, the researcher immediately tries to access the guest collection on their phone. The researcher is prompted to authenticate again with first_name@cloudprovider.com, despite the fact that they authenticated with that identity within the last 60 minutes on their laptop.

High assurance guest collections enable users to share protected data with others. All access to high assurance guest collections must meet the high assurance authentication policies described in Section 5.1 above, regardless of whether access is granted to the guest collection through an individual permission or a group permission.

Users may share protected data only with identities from identity providers recognized by Globus. In addition, anonymous and public data sharing is disabled on high assurance guest collections.

If a user wishes to share protected data with a group of identities, the user must ensure the group is configured as a high assurance group. Any group that grants privileges to manage protected data access must also be configured as a high assurance group. High assurance groups require the following higher authentication assurance policies for authentication by the group administrator or group manager.

For example, a researcher has linked identities last_name@campus.edu and first_name@cloudprovider.com. last_name@campus.edu is an administrator on a high assurance group with a four-hour authentication timeout period. If the researcher authenticates with first_name@cloudprovider.com, the researcher will be able to see the group and its configuration. But if the researcher attempts to make any changes to the group policy or manage group membership, the researcher will be prompted to log in with last_name@campus.edu. If the researcher returns to make further changes after four hours have passed, the researcher will again be prompted to authenticate with last_name@campus.edu. If the researcher attempts to manage the group using a different device, the researcher will be prompted again to authenticate with last_name@campus.edu on the new device.

Encryption of files in transit to or from a high assurance collections is always enforced and may not be overridden by users or by administrators. Please review Network Communication in the High Assurance Security Overview for more information about encryption.

Globus Connect generates a detailed audit trail that allows reconstruction of data access and user activities. Audit logs record details of all data access events as well as activities such as login and resource management. Logs are written by Globus Connect directly to the storage system. Management of the logs, such as policies and procedures for access, encryption, and retention, are the responsibility of the subscriber.

High assurance collections can be configured to allow data access only if the identity provider asserts that multi-factor authentication was used, increasing the authentication assurance when using identity providers with optional multi-factor authentication. This feature is only available on Globus Connect Server.